Emulated mobile devices used to steal millions from US, EU banks

Threat actors behind an ongoing worldwide mobile banking fraud campaign were able to steal millions from multiple US and EU banks, needing just a few days for each attack.

To do that, the attackers used huge emulator farms that helped them access thousands of hacked accounts (compromised after phishing or malware attacks) using spoofed mobile devices.

While emulators are not malicious tools, the group behind this campaign used them for malicious purposes emulating compromised devices or setting up what looked like new devices picked up by the compromised accounts' owners.

For setting up the emulated devices, the attackers used a dedicated tool capable of feeding device specs from a database of previously compromised devices, matching each of the spoofed devices with the account holder's banking credentials.

The mobile emulator farm was even able to spoof a compromised device's GPS location using virtual private network (VPN) services to hide the malicious activity from the bank.

Emulator stats
Data slices from emulator used to spoof over 8,000 devices (IBM Trusteer)

"The scale of this operation is one that has never been seen before, in some cases, over 20 emulators were used in the spoofing of well over 16,000 compromised devices," IBM Trusteer researchers Shachar Gritzman and Limor Kessem revealed in a report published earlier today.

"The attackers use these emulators to repeatedly access thousands of customer accounts and end up stealing millions of dollars in a matter of just a few days in each case. After one spree, the attackers shut down the operation, wipe traces, and prepare for the next attack."

The cybercrime gang — a group with access to mobile malware developers and highly skilled in fraud and money laundering akin to the TrickBot and Evil Corp gangs — was able to pull off multiple attacks undetected via mobile account takeover using:

  • Access to account holders’ usernames and passwords
  • Access to device identifiers and data likely gathered via compromised mobile devices.
  • Some ability to obtain SMS message contents.
  • A customized automation environment tailored to targeted applications and the logical flow of events to approve transactions.
  • A set of virtual mobile emulators, dozens in each case, to amplify the ability to spoof a larger number of devices and cycle through new ones rapidly and at scale.
  • Customized network interception scripts that communicated with the targeted application’s API. These interceptions both submitted transactions and also monitored communications to ensure that the fraud was not being detected.

During the attacks, the group monitored activity on the compromised banking accounts in real-time to make sure that their fraud attempts were not detected.

If anything went wrong and their attack was in danger of being exposed, they could act in real-time to warnings sent to their command-and-control servers, either modifying their tactics or abruptly shutting down the operation and immediately wiping out any traces.

After the campaign was detected by IBM Trusteer researchers, the cybercrime group didn't stop the attacks but instead updated its tactics which is "indicative of an ongoing operation that is perfecting the process of mobile banking fraud."

"This mobile fraud operation managed to automate the process of accessing accounts, initiating a transaction, receiving and stealing a second factor (SMS in this case) and in many cases using those codes to complete illicit transactions," the IBM Trusteer report says.

"The data sources, scripts and customized applications the gang created flowed in one automated process which provided speed that allowed them to rob millions of dollars from each victimized bank within a matter of days."

To defend against future attacks using the same tactics, you should avoid rooting or jailbreaking their devices, keep them updated at all times, only install apps from official app stores and legitimate developers.

Additionally, you should never give course to questions or information received via unsolicited text messages and always check bank statements for suspicious activity.

Related Articles:

Scammer sentenced for stealing $9M from adoption, automotive firms

IRS announces move to protect businesses from identity theft

CISA: Hackers breached US govt using more than SolarWinds backdoor

FBI, CISA officially confirm US govt hacks after SolarWinds breach

US govt, FireEye breached after SolarWinds supply-chain attack